
287385 [Help] Postscreen let zombies to pass through

  • Marco
    Jul 30, 2012
      Hello,

      I would like to ask for help with a problem with my postscreen.
      I have four MX servers using postscreen with one shared memcached server.

      Sometimes, a zombie already blocked by dnsbl receives a PASS NEW instead of a
      reject. I can't understand why, maybe there is something wrong in my
      configuration. Could you help me?

      Here follows an example.

      Look at this:

      2012-07-26T14:26:35.049762+02:00 01as postfix/dnsblog[1109]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:35.096771+02:00 01as postfix/dnsblog[1112]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:35.271720+02:00 01as postfix/dnsblog[1111]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T16:05:10.807425+02:00 01as postfix/dnsblog[6435]: addr 84.15.191.254 listed by domain zen.dnsbl as 127.0.0.4
      2012-07-26T16:05:10.854882+02:00 01as postfix/dnsblog[6433]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T16:05:10.866129+02:00 01as postfix/dnsblog[6440]: addr 84.15.191.254 listed by domain bl.spamcop.net as 127.0.0.2


      For a reason I don't know, at 14h26.35 postscreen starts to "pass new" a zombie
      that has a DNSBL rank of 7:


      2012-07-26T14:26:30.587633+02:00 02as postfix/dnsblog[22895]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:30.588483+02:00 02as postfix/dnsblog[22903]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:32.681261+02:00 04as postfix/postscreen[27121]: CONNECT from [84.15.191.254]:46110 to [158.102.109.70]:25
      2012-07-26T14:26:32.682406+02:00 04as postfix/dnsblog[967]: addr 84.15.191.254 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2
      2012-07-26T14:26:32.683251+02:00 04as postfix/dnsblog[969]: addr 84.15.191.254 listed by domain bl.spamcop.net as 127.0.0.2
      2012-07-26T14:26:32.684259+02:00 04as postfix/dnsblog[965]: addr 84.15.191.254 listed by domain zen.dnsbl as 127.0.0.4
      2012-07-26T14:26:32.684635+02:00 04as postfix/dnsblog[969]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T14:26:32.685046+02:00 04as postfix/dnsblog[967]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:32.685602+02:00 04as postfix/dnsblog[966]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:34.965295+02:00 01as postfix/dnsblog[1127]: addr 84.15.191.254 listed by domain dnsbl-1.uceprotect.net as 127.0.0.2
      2012-07-26T14:26:35.025988+02:00 01as postfix/dnsblog[1122]: addr 84.15.191.254 listed by domain bl.spamcop.net as 127.0.0.2
      2012-07-26T14:26:35.049762+02:00 01as postfix/dnsblog[1109]: addr 84.15.191.254 listed by domain psbl.surriel.com as 127.0.0.2
      2012-07-26T14:26:35.096771+02:00 01as postfix/dnsblog[1112]: addr 84.15.191.254 listed by domain ubl.unsubscore.com as 127.0.0.2
      2012-07-26T14:26:35.271720+02:00 01as postfix/dnsblog[1111]: addr 84.15.191.254 listed by domain dnsbl.sorbs.net as 127.0.0.7
      2012-07-26T14:26:35.460592+02:00 01as postfix/postscreen[15252]: NOQUEUE: reject: RCPT from [84.15.191.254]:21751: 450 4.3.2 Service currently unavailable; from=<briskedi0@...>, to=<cafone.esposito@...>, proto=ESMTP, helo=<[84.15.191.254]>
      2012-07-26T14:26:35.614905+02:00 01as postfix/postscreen[15252]: HANGUP after 0.59 from [84.15.191.254]:21751 in tests after SMTP handshake
      2012-07-26T14:26:35.614917+02:00 01as postfix/postscreen[15252]: PASS NEW [84.15.191.254]:21751
      2012-07-26T14:26:35.616633+02:00 01as postfix/postscreen[15252]: DISCONNECT [84.15.191.254]:21751
      2012-07-26T14:26:36.013039+02:00 02as postfix/postscreen[678]: DNSBL rank 7 for [84.15.191.254]:21516
      2012-07-26T14:26:36.456085+02:00 02as postfix/postscreen[678]: NOQUEUE: reject: RCPT from [84.15.191.254]:21516: 550 5.7.1 Service unavailable; client [84.15.191.254] blocked using dnsbl-1.uceprotect.net; from=<savoywk5@...>, to=<erminio.ottone@...>, proto=ESMTP, helo=<[84.15.191.254]>
      2012-07-26T14:26:36.596920+02:00 02as postfix/postscreen[678]: HANGUP after 0.58 from [84.15.191.254]:21516 in tests after SMTP handshake
      2012-07-26T14:26:36.596932+02:00 02as postfix/postscreen[678]: DISCONNECT [84.15.191.254]:21516
      2012-07-26T14:26:38.033424+02:00 04as postfix/postscreen[27121]: DNSBL rank 7 for [84.15.191.254]:46110
      2012-07-26T14:26:38.449749+02:00 04as postfix/postscreen[27121]: NOQUEUE: reject: RCPT from [84.15.191.254]:46110: 550 5.7.1 Service unavailable; client [84.15.191.254] blocked using dnsbl.sorbs.net; from=<entrancesyo2@...>, to=<apollonio@...>, proto=ESMTP, helo=<[84.15.191.254]>
      2012-07-26T14:26:38.609379+02:00 04as postfix/postscreen[27121]: HANGUP after 0.58 from [84.15.191.254]:46110 in tests after SMTP handshake
      2012-07-26T14:26:38.609390+02:00 04as postfix/postscreen[27121]: DISCONNECT [84.15.191.254]:46110
      2012-07-26T14:26:51.459052+02:00 03as postfix/postscreen[31870]: CONNECT from [84.15.191.254]:21836 to [158.102.109.69]:25
      2012-07-26T14:26:51.459249+02:00 03as postfix/postscreen[31870]: PASS OLD [84.15.191.254]:21836
      2012-07-26T14:26:51.641323+02:00 03as postfix/smtpd[16634]: connect from unknown[84.15.191.254]
      2012-07-26T14:26:51.972631+02:00 03as postfix/smtpd[16634]: ED6BA596F3A: client=unknown[84.15.191.254]
      2012-07-26T14:26:52.408466+02:00 03as amavis[18028]: (18028-08) Checking: MFeWLMK8XN0s [84.15.191.254] <peritoneumsob86@...> -> <ziopino@...>
      2012-07-26T14:26:52.489638+02:00 03as postfix/smtpd[16634]: disconnect from unknown[84.15.191.254]
      2012-07-26T14:26:53.018148+02:00 03as amavis[18028]: (18028-08) Blocked SPAM, [84.15.191.254] [84.15.191.254] <peritoneumsob86@... -> <ziopino@...>, quarantine: MFeWLMK8XN0s[30], Message-ID: <FUMM6H-Q9Z2GZ-X6@...>, mail_id: MFeWLMK8XN0s, Hits: 10.429, size: 3464, pt: 30, 662 ms [...]

      Why did this happen?

      The postscreen conf is the same on all MX servers:

      [root@01as ]# postconf -n | grep postscreen
      postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
      postscreen_bare_newline_action = enforce
      postscreen_bare_newline_enable = yes
      postscreen_blacklist_action = drop
      postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen.cf
      postscreen_dnsbl_action = enforce
      postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen-dnsbl-reply-map
      postscreen_dnsbl_sites = zen.dnsbl*2 bl.spamcop.net*1 b.barracudacentral.org*1 dnsbl.sorbs.net*1 psbl.surriel.com*1 ubl.unsubscore.com*1 dnsbl-1.uceprotect.net*1 dnsbl-2.uceprotect.net*1 dnsbl-3.uceprotect.net*2
      postscreen_dnsbl_threshold = 2
      postscreen_greet_action = enforce
      postscreen_greet_banner = ucas.csi.it ESMTP $mail_name. I don't remember of you, I'll check your mind!
      postscreen_greet_ttl = 7d
      postscreen_non_smtp_command_enable = yes
      postscreen_pipelining_enable = yes
      mail_version = 2.9.1


      This is the content of memcache-postscreen.cf, identical on all MX servers:

      [root@01as ]# cat /etc/postfix/memcache-postscreen.cf
      memcache = inet:01as:11211
      backup = btree:/var/lib/postfix/postscreen_cache

      # TTL if you don't use backup
      ttl = 2592000

      # Remember
      # postscreen_cache_cleanup_interval = 0
      # on ALL instances if you DON'T use backup.


      Thank you very much for any hints.
      Regards
      Marco
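
Added example, not part of Marco's post and not Postfix code: a log check that merges syslog from several MX hosts and reports every postscreen PASS for a client whose dnsblog listings add up to the DNSBL threshold, which is the situation shown in the logs above. The function name, host names and sample lines are constructed for illustration; the weights and threshold are the ones in the posted configuration, and summing one weight per listing domain is an assumption that approximates postscreen's own rank.

```python
import re
from collections import defaultdict

# Weights and threshold as in the post's postscreen_dnsbl_sites / _threshold.
WEIGHTS = {"zen.dnsbl": 2, "bl.spamcop.net": 1, "b.barracudacentral.org": 1,
           "dnsbl.sorbs.net": 1, "psbl.surriel.com": 1, "ubl.unsubscore.com": 1,
           "dnsbl-1.uceprotect.net": 1, "dnsbl-2.uceprotect.net": 1,
           "dnsbl-3.uceprotect.net": 2}
THRESHOLD = 2

LINE = re.compile(r"^(\S+) (\S+) postfix/(\w+)\[\d+\]: (.*)$")
LISTED = re.compile(r"addr (\S+) listed by domain (\S+) as ")
PASSED = re.compile(r"PASS (NEW|OLD) \[([^\]]+)\]")

# Constructed sample (documentation addresses, hypothetical hosts mx1..mx3).
SAMPLE = """\
2012-07-26T14:26:32.1+02:00 mx2 postfix/dnsblog[967]: addr 192.0.2.10 listed by domain zen.dnsbl as 127.0.0.4
2012-07-26T14:26:32.2+02:00 mx2 postfix/dnsblog[969]: addr 192.0.2.10 listed by domain bl.spamcop.net as 127.0.0.2
2012-07-26T14:26:35.6+02:00 mx1 postfix/postscreen[15252]: PASS NEW [192.0.2.10]:21751
2012-07-26T14:26:38.0+02:00 mx2 postfix/postscreen[678]: DNSBL rank 3 for [192.0.2.10]:21516
2012-07-26T14:26:51.4+02:00 mx3 postfix/postscreen[31870]: PASS OLD [192.0.2.10]:21836
2012-07-26T14:27:00.0+02:00 mx1 postfix/dnsblog[1200]: addr 198.51.100.7 listed by domain psbl.surriel.com as 127.0.0.2
2012-07-26T14:27:01.0+02:00 mx1 postfix/postscreen[15252]: PASS NEW [198.51.100.7]:40000
""".splitlines()

def find_passed_listed(lines):
    """Return (time, host, verdict, ip, score) for each PASS of a client whose
    summed DNSBL weight, as logged by dnsblog on any host, meets THRESHOLD."""
    listed = defaultdict(set)   # ip -> DNSBL domains that listed it
    passes = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue            # not a postfix syslog line
        ts, host, prog, msg = m.groups()
        if prog == "dnsblog" and (hit := LISTED.search(msg)):
            listed[hit.group(1)].add(hit.group(2))
        elif prog == "postscreen" and (hit := PASSED.search(msg)):
            passes.append((ts, host, "PASS " + hit.group(1), hit.group(2)))
    findings = []
    for ts, host, verdict, ip in passes:
        # Each listing domain counts once, however many hosts reported it.
        score = sum(WEIGHTS.get(d, 0) for d in listed[ip])
        if score >= THRESHOLD:
            findings.append((ts, host, verdict, ip, score))
    return findings

if __name__ == "__main__":
    for finding in find_passed_listed(SAMPLE):
        print(*finding)
```

Feed it the concatenated, unwrapped logs of all MX hosts; listings are collected over the whole input, so a PASS is reported even when the listing was logged by another host or slightly later.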